On 2022-02-09 17:25, Julien Salort wrote:
Le 09/02/2022 à 16:55, Benny Pedersen a écrit :
hope maillist users turn there dkim signers into sign only, not verify aswell, verify must only happen in dmarc
I am a little bit confused.
- why not verify dkim ? It seems fine for your message. I get:
when dkim pass there is no breakage, but dkim fail can lead to in some setups to make reject, even for maillists :/
that is a design fail on dkim
hence why i say sign only in dkim
Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=94.237.105.223; helo=talvi.dovecot.org; envelope-from=dovecot-bounces@dovecot.org; receiver=<UNKNOWN> Authentication-Results: OpenDMARC; dmarc=pass (p=none dis=none) header.from=junc.eu Authentication-Results: vps2.salort.eu; dkim=pass (2048-bit key; secure) header.d=junc.eu header.i=@junc.eu header.a=rsa-sha256 header.s=default header.b=CC9G/2tV; dkim-atps=neutral
perfectly good no problem
- Is it useful to install something besides OpenDMARC (OpenARC ?), or some dedicated OpenDMARC configurations, for the ARC-Seal to be useful ?
we are all waiting for spamassassin 4, and maybe ietf stable rfc on openspf, opendkim, openarc, opendmarc, currently none of it is production stable
I suppose SPF works because the Envelope is correctly set to dovecot.org address, so I don't understand the problem the OP was mentionning.
postfix maillist have no spf helo pass, no spf pass, i think its to force pass only on dkim in dmarc :=)
i dont control dovecot.org spf, so if it recieved in arc test pass i am happy, note arc miss spf helo fail/pass
its not production stable